From c399ec1a5a1e334ca2ae5a449ca396abc5b4d043 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Wed, 29 Jul 2015 19:16:09 +0000
Subject: Add linker warnings in case SSLv3_{,client,server}_method are referenced. Use of this symbols proves the existence of a code path willingly using SSLv3, even with OPENSSL_NO_SSL3 being defined, which hints that it needs fixing. Discussed with the LibreSSL cabal during c2k15; ok deraadt@
---
 src/lib/libssl/s3_clnt.c | 8 +++++++-
 src/lib/libssl/s3_srvr.c | 8 +++++++-
 src/lib/libssl/src/ssl/s3_clnt.c | 8 +++++++-
 src/lib/libssl/src/ssl/s3_meth.c | 8 +++++++-
 src/lib/libssl/src/ssl/s3_srvr.c | 8 +++++++-
 5 files changed, 35 insertions(+), 5 deletions(-) (limited to 'src/lib')
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 9a5ef826f6..b739711732 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.120 2015/07/19 07:34:52 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. *
@@ -170,6 +170,12 @@
 #include "bytestring.h"
+#ifdef __OpenBSD__
+#include
+__warn_references(SSLv3_client_method,
+ "SSLv3_client_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_client_method(int ver); static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index cd5bc2a6cb..7d2ec4d132 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.111 2015/07/18 01:42:26 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. *
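Review bot: In the second hunk of src/lib/libssl/s3_clnt.c the new block sits inside `#ifdef __OpenBSD__`, so the link-time warning for `SSLv3_client_method` exists only in OpenBSD builds and any other build of this file still links the symbol silently; the same guard appears in the matching hunks of src/lib/libssl/s3_srvr.c and the three files under src/lib/libssl/src/ssl/. Nothing in the added lines records that limitation, so I would put a comment above the block, for example `/* Link-time warning only, OpenBSD only: the SSLv3 entry point itself is unchanged. */`. As rendered on this page the added `#include` line carries no header name, which looks like an extraction loss rather than part of the commit (on OpenBSD `__warn_references` is provided by `<sys/cdefs.h>`); confirm against the repository.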
@@ -166,6 +166,12 @@
 #include "bytestring.h"
+#ifdef __OpenBSD__
+#include
+__warn_references(SSLv3_server_method,
+ "SSLv3_server_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_server_method(int ver); const SSL_METHOD SSLv3_server_method_data = {
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 9a5ef826f6..b739711732 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.120 2015/07/19 07:34:52 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. *
@@ -170,6 +170,12 @@
 #include "bytestring.h"
+#ifdef __OpenBSD__
+#include
+__warn_references(SSLv3_client_method,
+ "SSLv3_client_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_client_method(int ver); static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
diff --git a/src/lib/libssl/src/ssl/s3_meth.c b/src/lib/libssl/src/ssl/s3_meth.c
index 8ad4efa7a8..c5f043e944 100644
--- a/src/lib/libssl/src/ssl/s3_meth.c
+++ b/src/lib/libssl/src/ssl/s3_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_meth.c,v 1.13 2015/02/06 08:30:23 jsing Exp $ */
+/* $OpenBSD: s3_meth.c,v 1.14 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. *
@@ -62,6 +62,12 @@
 #include "ssl_locl.h"
+#ifdef __OpenBSD__
+#include
+__warn_references(SSLv3_method,
+ "SSLv3_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_method(int ver); const SSL_METHOD SSLv3_method_data = {
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index cd5bc2a6cb..7d2ec4d132 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
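Review bot: The warning string added for `SSLv3_method` in src/lib/libssl/src/ssl/s3_meth.c says only "insecure protocols", which does not tell whoever reads the linker output that SSLv3 is the protocol in question or what to do about it; the client and server strings in the other hunks use the same wording. Something like `"SSLv3_method() selects SSLv3, which is insecure; use a version-flexible method"` would make the build log actionable. A short comment above the block should also state that the warning is produced only when a program is linked with a direct reference to the symbol, so a binary that is not relinked, or that resolves the symbol at run time, produces none, and a clean link is not evidence that SSLv3 is unused.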
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.111 2015/07/18 01:42:26 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. *
@@ -166,6 +166,12 @@
 #include "bytestring.h"
+#ifdef __OpenBSD__
+#include
+__warn_references(SSLv3_server_method,
+ "SSLv3_server_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_server_method(int ver); const SSL_METHOD SSLv3_server_method_data = {
-- cgit v1.2.3-55-g6feb